| 192 |
- |
1 |
# Easy-RSA 3 parameter settings
|
|
|
2 |
|
|
|
3 |
# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
|
|
|
4 |
# this file in place -- instead, you should copy the entire easy-rsa directory
|
|
|
5 |
# to another location so future upgrades don't wipe out your changes.
|
|
|
6 |
|
|
|
7 |
# HOW TO USE THIS FILE
|
|
|
8 |
#
|
|
|
9 |
# vars.example contains built-in examples to Easy-RSA settings. You MUST name
|
|
|
10 |
# this file 'vars' if you want it to be used as a configuration file. If you do
|
|
|
11 |
# not, it WILL NOT be automatically read when you call easyrsa commands.
|
|
|
12 |
#
|
|
|
13 |
# It is not necessary to use this config file unless you wish to change
|
|
|
14 |
# operational defaults. These defaults should be fine for many uses without the
|
|
|
15 |
# need to copy and edit the 'vars' file.
|
|
|
16 |
#
|
|
|
17 |
# All of the editable settings are shown commented and start with the command
|
|
|
18 |
# 'set_var' -- this means any set_var command that is uncommented has been
|
|
|
19 |
# modified by the user. If you're happy with a default, there is no need to
|
|
|
20 |
# define the value to its default.
|
|
|
21 |
|
|
|
22 |
# NOTES FOR WINDOWS USERS
|
|
|
23 |
#
|
|
|
24 |
# Paths for Windows *MUST* use forward slashes, or optionally double-escaped
|
|
|
25 |
# backslashes (single forward slashes are recommended.) This means your path to
|
|
|
26 |
# the openssl binary might look like this:
|
|
|
27 |
# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
|
|
|
28 |
|
|
|
29 |
# A little housekeeping: DON'T EDIT THIS SECTION
|
|
|
30 |
#
|
|
|
31 |
# Easy-RSA 3.x doesn't source into the environment directly.
|
|
|
32 |
# Complain if a user tries to do this:
|
|
|
33 |
if [ -z "$EASYRSA_CALLER" ]; then
|
|
|
34 |
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
|
|
|
35 |
echo "This is no longer necessary and is disallowed. See the section called" >&2
|
|
|
36 |
echo "'How to use this file' near the top comments for more details." >&2
|
|
|
37 |
return 1
|
|
|
38 |
fi
|
|
|
39 |
|
|
|
40 |
# DO YOUR EDITS BELOW THIS POINT
|
|
|
41 |
|
|
|
42 |
# This variable is used as the base location of configuration files needed by
|
|
|
43 |
# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
|
|
|
44 |
# may override this default.
|
|
|
45 |
#
|
|
|
46 |
# The default value of this variable is the location of the easyrsa script
|
|
|
47 |
# itself, which is also where the configuration files are located in the
|
|
|
48 |
# easy-rsa tree.
|
|
|
49 |
|
|
|
50 |
#set_var EASYRSA "${0%/*}"
|
|
|
51 |
|
|
|
52 |
# If your OpenSSL command is not in the system PATH, you will need to define the
|
|
|
53 |
# path to it here. Normally this means a full path to the executable, otherwise
|
|
|
54 |
# you could have left it undefined here and the shown default would be used.
|
|
|
55 |
#
|
|
|
56 |
# Windows users, remember to use paths with forward-slashes (or escaped
|
|
|
57 |
# back-slashes.) Windows users should declare the full path to the openssl
|
|
|
58 |
# binary here if it is not in their system PATH.
|
|
|
59 |
|
|
|
60 |
#set_var EASYRSA_OPENSSL "openssl"
|
|
|
61 |
#
|
|
|
62 |
# This sample is in Windows syntax -- edit it for your path if not using PATH:
|
|
|
63 |
#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
|
|
|
64 |
|
|
|
65 |
# Edit this variable to point to your soon-to-be-created key directory. By
|
|
|
66 |
# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
|
|
|
67 |
# directory you are currently in).
|
|
|
68 |
#
|
|
|
69 |
# WARNING: init-pki will do a rm -rf on this directory so make sure you define
|
|
|
70 |
# it correctly! (Interactive mode will prompt before acting.)
|
|
|
71 |
|
|
|
72 |
#set_var EASYRSA_PKI "$PWD/pki"
|
|
|
73 |
|
|
|
74 |
# Define directory for temporary subdirectories.
|
|
|
75 |
|
|
|
76 |
#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI"
|
|
|
77 |
|
|
|
78 |
# Define X509 DN mode.
|
|
|
79 |
# This is used to adjust what elements are included in the Subject field as the DN
|
|
|
80 |
# (this is the "Distinguished Name.")
|
|
|
81 |
# Note that in cn_only mode the Organizational fields further below aren't used.
|
|
|
82 |
#
|
|
|
83 |
# Choices are:
|
|
|
84 |
# cn_only - use just a CN value
|
|
|
85 |
# org - use the "traditional" Country/Province/City/Org/OU/email/CN format
|
|
|
86 |
|
|
|
87 |
#set_var EASYRSA_DN "cn_only"
|
|
|
88 |
|
|
|
89 |
# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
|
|
|
90 |
# These are the default values for fields which will be placed in the
|
|
|
91 |
# certificate. Don't leave any of these fields blank, although interactively
|
|
|
92 |
# you may omit any specific field by typing the "." symbol (not valid for
|
|
|
93 |
# email.)
|
|
|
94 |
|
|
|
95 |
#set_var EASYRSA_REQ_COUNTRY "US"
|
|
|
96 |
#set_var EASYRSA_REQ_PROVINCE "California"
|
|
|
97 |
#set_var EASYRSA_REQ_CITY "San Francisco"
|
|
|
98 |
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
|
|
|
99 |
#set_var EASYRSA_REQ_EMAIL "me@example.net"
|
|
|
100 |
#set_var EASYRSA_REQ_OU "My Organizational Unit"
|
|
|
101 |
|
|
|
102 |
# Choose a size in bits for your keypairs. The recommended value is 2048. Using
|
|
|
103 |
# 2048-bit keys is considered more than sufficient for many years into the
|
|
|
104 |
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
|
|
|
105 |
# generation take much longer. Values up to 4096 should be accepted by most
|
|
|
106 |
# software. Only used when the crypto alg is rsa (see below.)
|
|
|
107 |
|
|
|
108 |
#set_var EASYRSA_KEY_SIZE 2048
|
|
|
109 |
|
|
|
110 |
# The default crypto mode is rsa; ec can enable elliptic curve support.
|
|
|
111 |
# Note that not all software supports ECC, so use care when enabling it.
|
|
|
112 |
# Choices for crypto alg are: (each in lower-case)
|
|
|
113 |
# * rsa
|
|
|
114 |
# * ec
|
|
|
115 |
# * ed
|
|
|
116 |
|
|
|
117 |
#set_var EASYRSA_ALGO rsa
|
|
|
118 |
|
|
|
119 |
# Define the named curve, used in ec & ed modes:
|
|
|
120 |
|
|
|
121 |
#set_var EASYRSA_CURVE secp384r1
|
|
|
122 |
|
|
|
123 |
# In how many days should the root CA key expire?
|
|
|
124 |
|
|
|
125 |
#set_var EASYRSA_CA_EXPIRE 3650
|
|
|
126 |
|
|
|
127 |
# In how many days should certificates expire?
|
|
|
128 |
|
|
|
129 |
#set_var EASYRSA_CERT_EXPIRE 825
|
|
|
130 |
|
|
|
131 |
# How many days until the next CRL publish date? Note that the CRL can still be
|
|
|
132 |
# parsed after this timeframe passes. It is only used for an expected next
|
|
|
133 |
# publication date.
|
|
|
134 |
|
|
|
135 |
# How many days before its expiration date a certificate is allowed to be
|
|
|
136 |
# renewed?
|
|
|
137 |
#set_var EASYRSA_CERT_RENEW 30
|
|
|
138 |
|
|
|
139 |
#set_var EASYRSA_CRL_DAYS 180
|
|
|
140 |
|
|
|
141 |
# Random serial numbers by default, set to no for the old incremental serial numbers
|
|
|
142 |
#
|
|
|
143 |
#set_var EASYRSA_RAND_SN "yes"
|
|
|
144 |
|
|
|
145 |
|
|
|
146 |
# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
|
|
|
147 |
# is "no" to discourage use of deprecated extensions. If you require this
|
|
|
148 |
# feature to use with --ns-cert-type, set this to "yes" here. This support
|
|
|
149 |
# should be replaced with the more modern --remote-cert-tls feature. If you do
|
|
|
150 |
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
|
|
|
151 |
# this defined to "no". When set to "yes", server-signed certs get the
|
|
|
152 |
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
|
|
|
153 |
# nsComment field.
|
|
|
154 |
|
|
|
155 |
#set_var EASYRSA_NS_SUPPORT "no"
|
|
|
156 |
|
|
|
157 |
# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
|
|
|
158 |
# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
|
|
|
159 |
|
|
|
160 |
#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"
|
|
|
161 |
|
|
|
162 |
# A temp file used to stage cert extensions during signing. The default should
|
|
|
163 |
# be fine for most users; however, some users might want an alternative under a
|
|
|
164 |
# RAM-based FS, such as /dev/shm or /tmp on some systems.
|
|
|
165 |
|
|
|
166 |
#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
|
|
|
167 |
|
|
|
168 |
# !!
|
|
|
169 |
# NOTE: ADVANCED OPTIONS BELOW THIS POINT
|
|
|
170 |
# PLAY WITH THEM AT YOUR OWN RISK
|
|
|
171 |
# !!
|
|
|
172 |
|
|
|
173 |
# Broken shell command aliases: If you have a largely broken shell that is
|
|
|
174 |
# missing any of these POSIX-required commands used by Easy-RSA, you will need
|
|
|
175 |
# to define an alias to the proper path for the command. The symptom will be
|
|
|
176 |
# some form of a 'command not found' error from your shell. This means your
|
|
|
177 |
# shell is BROKEN, but you can hack around it here if you really need. These
|
|
|
178 |
# shown values are not defaults: it is up to you to know what you're doing if
|
|
|
179 |
# you touch these.
|
|
|
180 |
#
|
|
|
181 |
#alias awk="/alt/bin/awk"
|
|
|
182 |
#alias cat="/alt/bin/cat"
|
|
|
183 |
|
|
|
184 |
# X509 extensions directory:
|
|
|
185 |
# If you want to customize the X509 extensions used, set the directory to look
|
|
|
186 |
# for extensions here. Each cert type you sign must have a matching filename,
|
|
|
187 |
# and an optional file named 'COMMON' is included first when present. Note that
|
|
|
188 |
# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
|
|
|
189 |
# fallback to $EASYRSA for the 'x509-types' dir. You may override this
|
|
|
190 |
# detection with an explicit dir here.
|
|
|
191 |
#
|
|
|
192 |
#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
|
|
|
193 |
|
|
|
194 |
# If you want to generate KDC certificates, you need to set the realm here.
|
|
|
195 |
#set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM"
|
|
|
196 |
|
|
|
197 |
# OpenSSL config file:
|
|
|
198 |
# If you need to use a specific openssl config file, you can reference it here.
|
|
|
199 |
# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the
|
|
|
200 |
# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
|
|
|
201 |
# specific and you cannot just use a standard config file, so this is an
|
|
|
202 |
# advanced feature.
|
|
|
203 |
|
|
|
204 |
#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
|
|
|
205 |
|
|
|
206 |
# Default CN:
|
|
|
207 |
# This is best left alone. Interactively you will set this manually, and BATCH
|
|
|
208 |
# callers are expected to set this themselves.
|
|
|
209 |
|
|
|
210 |
#set_var EASYRSA_REQ_CN "ChangeMe"
|
|
|
211 |
|
|
|
212 |
# Cryptographic digest to use.
|
|
|
213 |
# Do not change this default unless you understand the security implications.
|
|
|
214 |
# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
|
|
|
215 |
|
|
|
216 |
#set_var EASYRSA_DIGEST "sha256"
|
|
|
217 |
|
|
|
218 |
# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
|
|
|
219 |
# in batch mode without any user input, confirmation on dangerous operations,
|
|
|
220 |
# or most output. Setting this to any non-blank string enables batch mode.
|
|
|
221 |
|
|
|
222 |
#set_var EASYRSA_BATCH ""
|
|
|
223 |
|